{
	"id": "79cfd0e5-cd76-4f7a-a733-43ed0d1b2357",
	"created_at": "2026-04-06T00:09:01.888824Z",
	"updated_at": "2026-04-10T03:37:08.969767Z",
	"deleted_at": null,
	"sha1_hash": "0d5fb23186473747eedea2d64f4acd38e6843a29",
	"title": "Past Cyber Operations Against Ukraine and What May Be Next",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72175,
	"plain_text": "Past Cyber Operations Against Ukraine and What May Be Next\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-05 13:39:47 UTC\r\nDisruptive and destructive cyber operations have been levied against elements of Ukrainian society by adversaries\r\nattributed to the Russian government — or groups highly likely to be controlled by them — since at least 2014.\r\nThese operations have impacted several sectors, including energy, transportation and state finance, and have\r\nattempted to influence political processes and affect businesses more broadly within the country. These operations\r\nhave been conducted in a semi-deniable manner, providing enough evidence to arouse suspicion of the likely\r\nperpetrators — so as to ensure that intended messaging is conveyed to targeted entities — while also obfuscating\r\nthe activity’s origins. CrowdStrike attributes the majority of the known offensive operations against Ukraine to\r\nVOODOO BEAR, an adversary highly likely controlled by the Main Intelligence Directorate of the General Staff\r\nof the Armed Forces of the Russian Federation (GRU). The impact of offensive operations is rarely constrained to\r\nthe initial target entity, with collateral damage occurring either directly through corruption of computer networks\r\nor indirectly through interruption of critical business services on which organizations rely for day-to-day\r\noperation. Analysis of previous activities has identified several situations in which apparently localized targeting\r\nhas caused unintended consequences to organizations outside of Ukraine. 
This blog will evaluate major disruptive\r\nevents against Ukrainian interests in the past and attempt to forecast likely forms and outcomes of future\r\noperations within the region.\r\nDetail\r\nTechniques employed by VOODOO BEAR to facilitate and deliver destructive effects have evolved over the\r\nyears, from the distribution of targeted wiper malware via custom loaders to mimicking the effect of ransomware\r\ndeployments using wider-reaching distribution mechanisms such as supply chain and strategic web compromises\r\n(SWC). However, the pretense of ransomware is often superficial and its implementation is not consistent with\r\nfinancially motivated criminal actors. There is also evidence to suggest that the adversary has leveraged attribution\r\nfronts claiming to be motivated by hacktivist ideologies alongside destructive campaigns, likely in an attempt to\r\namplify the effects of the attacks by publicizing them more widely. CrowdStrike Intelligence has reported\r\nextensively on VOODOO BEAR operations within Ukraine, with overviews of their evolving operations available\r\nto our premium intelligence subscribers. These campaigns are assessed to likely contribute to psychological\r\noperations seeking to degrade, delegitimize or otherwise influence public trust in state institutions and industry\r\nsectors in the country.\r\n2014-2016: Targeted Attacks Using Custom Delivery Malware\r\nEarly destructive operations attributed to VOODOO BEAR have targeted a range of sectors within Ukraine, often\r\nleveraging a combination of the BlackEnergy malware (version 3) and the KillDisk (aka PassKillDisk) wiper.\r\nMany campaigns were timed to coincide with specific events or seasons, while the events in December 2016\r\nhttps://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/\r\nPage 1 of 5\n\ncould be interpreted as a persistent execution of successive attacks designed to have a multiplicative disruptive\r\neffect on the country. 
These operations included:\r\nMay 2014: targeting of energy and transportation organizations\r\nOctober 2015: targeting of media outlets, coinciding with local elections\r\nDecember 2015: targeting of an energy provider in western Ukraine\r\nDecember 2016: targeting of state-operated financial institutions (FIs) and rail companies\r\nDecember 2016: targeting of an energy provider causing power outages in Kiev\r\nDecember 2016: targeting of the Ukrainian State Hydrographic Service\r\nDespite the relatively focused targeting in each of these cases, variants of the KillDisk malware distributed in\r\nDecember 2016 were modified to mimic ransomware and hacktivist intent, foreshadowing later developments in\r\noperational tactics, techniques and procedures (TTPs). Observations of contemporary activity in this period\r\nsuggest that attribution fronts adopting hacktivist personas were used to publicly release data from Ukrainian\r\norganizations alongside these offensive operations, although the exact nature of their coordination is unclear. For\r\nexample, the CyberBerkut collective claimed responsibility for destructive and denial-of-service (DoS) attacks\r\nagainst the Ukrainian Central Election Commission (CEC) in May 2014, after which the group began publishing\r\nsensitive emails and internal documents from the CEC to support their claim. Similarly, in December 2016, a pro-Russia hacktivist group called Sprut leaked a series of documents related to the finances of the Ukrainian\r\ngovernment’s state energy company. Later that month, the group announced they had disrupted the main website\r\nof the Ukrainian Energy company Ukrenergo, which had publicly acknowledged that internal systems had been\r\naccessed on Dec. 17-18, 2016. 
Information operations (IO) combining public (disruptive) and non-public\r\n(destructive) intent are highly likely representative of attempts to amplify the effects of damage to government\r\nsystems by controlling public narrative over an extended period.\r\n2016-2017: Increased Deniability and Scale Through the Use of Pseudo-Ransomware\r\nVOODOO BEAR’s destructive operations in 2017 marked a distinct change in deployment and destructive\r\npayload TTPs. Building on earlier attempts to masquerade wipers as criminal ransomware, several campaigns\r\nusing different — but technically linked — pseudo-ransomware families were deployed by the adversary against\r\nUkrainian entities. Of particular note was the adoption of several deployment techniques that greatly amplified the\r\npotential scope and destructive implications of these operations. The use of supply chain compromise and SWC\r\nmethodologies vastly increased the number of victims impacted by each campaign, and worm-like propagation\r\nmechanisms supported by the Mimikatz credential-stealing tool and the EternalBlue exploit for the CVE-2017-0144\r\nvulnerability increased the potential impact on networks after initial infection. These operations included:\r\nJanuary 2017: Filecoder.NKH was deployed via a supply chain compromise of a Ukrainian IT company\r\nMay 2017: XDATA was deployed for a short period via the software update mechanism of M.E. Doc, a\r\nUkrainian accounting software product used by many companies either located — or operating — within\r\nUkraine\r\nJune 2017: FakeCry, a malware family impersonating the infamous WannaCry ransomware, also was deployed\r\nvia a malicious M.E. Doc update\r\nJune 2017: NotPetya was deployed via the same M.E. Doc mechanism, with earlier tests likely deployed\r\nvia SWC of a Ukrainian media website\r\nOctober 2017: BadRabbit was deployed against Ukrainian transport networks via SWC of websites in\r\nseveral countries including Ukraine, Russia, Turkey and Bulgaria\r\nObservations of a phased approach to the distribution of pseudo-ransomware variants across multiple delivery\r\nvectors suggest that campaigns in early 2017 may have been tests for the wider distribution of NotPetya, which\r\nwas apparently timed to coincide with Ukraine’s Constitution Day. However, distribution of NotPetya via the M.E.\r\nDoc update mechanism — also used by non-Ukrainian organizations — and the implementation of unconstrained\r\npropagation techniques resulted in global spread with likely unintended impact to a wide variety of sectors\r\nincluding logistics, healthcare and retail. The BadRabbit campaign also appeared to have resulted in collateral\r\ndamage against some Russia-based organizations, likely as a result of victims visiting websites used to distribute\r\nthe malware.\r\n2022: Hybrid Operations Using Multiple Campaign Stages\r\nJanuary 2022 reporting on what CrowdStrike tracks as the WhisperedDebate activity cluster involving website\r\ndefacements and WhisperGate wiper operations against Ukrainian government networks demonstrates the\r\ncontinued intent to disrupt state institutions. CrowdStrike Intelligence does not currently attribute\r\nWhisperedDebate to a named adversary (e.g., VOODOO BEAR), although high-level parallels to previous\r\noperations, the Ukrainian focus and timing of the activity strongly suggest a Russia-nexus adversary or a group\r\naligned with their interests. 
Public statements from the Ukrainian government suggest that the scope of this\r\noperation was relatively constrained compared to VOODOO BEAR campaigns in 2017, although it is unknown\r\nwhether this was intentional or representative of operational difficulties experienced by the adversary. However,\r\nthe likely manual malware distribution vector employed and the focus on targeting of government networks —\r\nand other destructive attacks against IT service providers, likely in an attempt to cover up evidence of initial\r\nintrusion vectors — indicates that limited impact was intentional in this case. CrowdStrike has identified several\r\nattempts to distribute data purportedly acquired from several government organizations shortly after they had been\r\ntargeted during the WhisperedDebate campaign, supporting claims made in the website defacement messages.\r\nWhile links between these events have not been conclusively proven at the time of writing, data leak evidence\r\npresented by several personas presenting hacktivist or criminal motivations may be representative of an attempt to\r\nexecute an IO campaign to successively release personally identifiable information (PII), contrary to repeated\r\nstatements from Ukrainian officials that no data had been taken during the network intrusions. These attempts can\r\nseek to degrade public trust in the government’s ability to effectively address the breaches. This use of IO mirrors\r\nearlier VOODOO BEAR TTPs, where the CyberBerkut and Sprut group personas contemporaneously released\r\nprivate data from Ukrainian organizations. 
The introduction of publicly visible website defacements during the\r\nWhisperedDebate activity provides an additional facet to the operation that can be easily picked up and amplified\r\nby media outlets.\r\nAssessment\r\nThe extended history of destructive VOODOO BEAR operations against Ukrainian entities indicates a\r\ncommitment to the execution of psychological operations against the local populace. This represents ongoing\r\nRussian government efforts to influence Ukraine against a backdrop of national security and populist policies.\r\nUltimately, these operations and their intended effects are complementary to the Russian government’s overall\r\nstrategy pertaining to Ukraine, although they do not appear to be specifically linked to overt diplomatic efforts or\r\nmilitary maneuvers, and instead are likely intended as a separate tool that can be used to selectively increase\r\ntension within Ukraine and destabilize public trust in Ukrainian government institutions. The precise endgame for\r\nthese actions is unclear, although coercing the population to reject closer ties with the West, establishing new\r\nleadership more favorable to Russia or preparing for military action similar to the 2014 annexation of Crimea are\r\nall possible intended outcomes. CrowdStrike anticipates that future offensive operations against Ukraine will most\r\nlikely take the form of destructive wiping attacks masquerading as ransomware. This assessment is made with\r\nmoderate confidence, based on a successive evolution of technical TTPs and the acknowledgement that this type\r\nof operation can have the desired disruptive effect and signal deeper intent, while still avoiding taking direct\r\nresponsibility for the attacks. 
The contemporaneous use of IO campaigns to launder and publicize PII or other\r\nsensitive data stolen during network breaches and draw media awareness through website defacement activity is\r\nalso likely to occur as part of hybrid operations in the future. There is a low chance that DoS attacks will feature in\r\nfuture campaigns, although this technique has not been observed in recent years and arguably has little lasting\r\neffect on targeted organizations. DoS would most likely be used in combination with other offensive actions such\r\nas wiping attacks, or to bolster credentials within hacktivist communities. Based on observations of past events\r\nsuch as the spread of NotPetya, disruptive and destructive attacks against Ukraine are likely to have broader\r\nimplications, including potential impacts to organizations based outside the country. Collateral damage is\r\nparticularly likely to be experienced by companies that operate subsidiaries within Ukraine or possess network\r\nassets interconnected with Ukrainian organizations. This assessment is made with moderate confidence, although\r\nthere is evidence to suggest that subsequent operations have attempted to limit the scope of unconstrained\r\nmalware propagation, likely due to the significant unintended fallout of NotPetya. Outside of being directly\r\nimpacted by destructive attacks, organizations relying on Ukrainian logistics networks are likely to experience\r\ndisruptive effects of any future operations targeting part of the Ukrainian transport sector. Destructive attacks\r\nintentionally targeted at organizations outside the country — such as those headquartered within countries\r\nsupportive of Ukraine’s position against Russia, including the U.S. and those in Europe — cannot be completely\r\ndiscounted, although this is assessed as an unlikely scenario due to the risk of uncontrolled escalation of\r\ninternational tension and punitive measures, including direct retaliatory actions by other governments. 
However,\r\nthe incidental targeting of international businesses operating within Ukraine may be used by Russian-nexus\r\nadversaries to dissuade business operations and investment and destabilize the local economy.\r\nCrowdStrike Intelligence Confidence Assessment\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High confidence in\r\nthe quality and quantity of source information supporting a judgment does not imply that the assessment is an\r\nabsolute certainty or fact. The judgment still has a marginal probability of being inaccurate. Moderate\r\nConfidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient\r\nquantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to\r\nexpress that judgments carry an increased probability of being incorrect until more information is available or\r\ncorroborated. Low Confidence: Judgments are made where the credibility of the source is uncertain, the\r\ninformation is too fragmented or too poorly corroborated to make solid analytic inferences, or the reliability of\r\nthe source is untested. Further information is needed for corroboration of the information or to fill known\r\nintelligence gaps.\r\nSource: https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/"
	],
	"report_names": [
		"lessons-from-past-cyber-operations-against-ukraine"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d5fb23186473747eedea2d64f4acd38e6843a29.pdf",
		"text": "https://archive.orkl.eu/0d5fb23186473747eedea2d64f4acd38e6843a29.txt",
		"img": "https://archive.orkl.eu/0d5fb23186473747eedea2d64f4acd38e6843a29.jpg"
	}
}